{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detect Credential Dumping via reg.exe T1003.002"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access. MITRE ATT&CK"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 1,
   "metadata": {
    "execution": {
     "iopub.status.idle": "2020-10-19T19:55:18.824958Z",
     "shell.execute_reply": "2020-10-19T19:55:18.824476Z",
     "shell.execute_reply.started": "2020-10-19T19:55:15.531094Z"
    },
    "scrolled": true
   },
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      " Finished.                     "
     ]
    },
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>sysmon</th>\n",
       "      <th>cmd_line</th>\n",
       "      <th>value</th>\n",
       "      <th>process_name</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>{'EventTime': '2020-06-30 10:47:11', 'Hostname...</td>\n",
       "      <td>\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKL...</td>\n",
       "      <td>{\"EventTime\":\"2020-06-30 10:47:11\",\"Hostname\":...</td>\n",
       "      <td>C:\\Windows\\System32\\cmd.exe</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                              sysmon  ...                 process_name\n",
       "0  {'EventTime': '2020-06-30 10:47:11', 'Hostname...  ...  C:\\Windows\\System32\\cmd.exe\n",
       "\n",
       "[1 rows x 4 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "\n"
     ]
    },
    {
     "data": {
      "text/plain": [
       "<spl2_kernel.spl2_runner.SPL2Job at 0x7f01d58153d0>"
      ]
     },
     "execution_count": 1,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "%%spl2\n",
    "/* read attack dataset generated by Splunk Attack Range */\n",
    "| from read_text(\"s3://smle-experiments/datasets/attack-range/T1003.002/attack_data.txt\")\n",
    "/* cast data as JSON */\n",
    "| eval sysmon=from_json_object(cast(value, \"string\"))\n",
    "/* read in the process name */\n",
    "| eval process_name=ucast(map_get(sysmon, \"Image\"), \"string\", \"\") \n",
    "/* filter on cmd.exe and reg.exe */\n",
    "| where process_name LIKE \"%cmd.exe%\" OR process_name=\"%reg.exe%\"\n",
    "/* read in the process name */\n",
    "| eval cmd_line=ucast(map_get(sysmon, \"CommandLine\"), \"string\", \"\") \n",
    "/* filter by any command line string that has the word save and matches targetted registry */\n",
    "| where cmd_line != null  AND \n",
    "        match_regex(cmd_line, /(?i)save\\s+/)=true AND\n",
    "        ( match_regex(cmd_line, /(?i)HKLM\\\\Security/)=true OR\n",
    "          match_regex(cmd_line, /(?i)HKLM\\\\SAM/)=true OR\n",
    "          match_regex(cmd_line, /(?i)HKLM\\\\System/)=true OR\n",
    "          match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\\\Security/)=true OR\n",
    "          match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\\\SAM/)=true OR\n",
    "          match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\\\System/)=true \n",
    "        );"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "SPL2",
   "language": "SPL",
   "name": "spl2"
  },
  "language_info": {
   "mimetype": "text/spl",
   "name": "SPL"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}
